📌 Introduction

In today's modern web architecture, applications often rely on multiple layers such as load balancers, reverse proxies, and backend servers. While this layered approach improves performance and scalability, it can introduce subtle security flaws.

One such high-impact vulnerability is HTTP Request Smuggling, a technique that exploits inconsistencies in how different servers interpret HTTP requests.

⚙️ What is HTTP Request Smuggling?

HTTP Request Smuggling occurs when an attacker sends a specially crafted HTTP request that is interpreted differently by a front-end server (e.g., proxy) and a back-end server.

This mismatch allows attackers to "smuggle" malicious requests inside normal ones, bypassing security controls.

How It Works?

At the core of this vulnerability lies ambiguity in handling two HTTP headers:

  • Content-Length
  • Transfer-Encoding

🔄 Key Concept:

  • Front-end server processes request one way
  • Back-end server processes it differently

This leads to desynchronization in request parsing.

🔍 Types of HTTP Request Smuggling

1. CL.TE (Content-Length + Transfer-Encoding)

  • Front-end uses Content-Length
  • Back-end uses Transfer-Encoding

2. TE.CL (Transfer-Encoding + Content-Length)

  • Front-end uses Transfer-Encoding
  • Back-end uses Content-Length

3. TE.TE

  • Both servers support Transfer-Encoding, but they interpret the header differently, so they still disagree on where the body ends

🧪 Example Attack Scenario

POST / HTTP/1.1
Host: vulnerable.com
Content-Length: 13
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: vulnerable.com

👉 In this case:

  • The front-end (using Transfer-Encoding) may treat the request as complete after the terminating 0 chunk
  • The back-end (using Content-Length) leaves the remaining bytes on the connection and processes the smuggled GET /admin request as the start of the next request

🚨 Impact of HTTP Smuggling

This vulnerability can lead to serious consequences:

  • 🔓 Authentication bypass
  • 🍪 Session hijacking
  • 🔁 Cache poisoning
  • 📑 Data exfiltration
  • 🚪 Access to restricted endpoints
  • 🔄 Request queue poisoning

🧰 Prevention & Mitigation

✅ Best Practices:

Use consistent parsing rules

  • Ensure front-end and back-end servers interpret requests identically

Disable ambiguous headers

  • Reject requests containing both Content-Length and Transfer-Encoding

Normalize requests

  • Use a single standard for request handling

Keep servers updated

  • Patch known vulnerabilities

Use Web Application Firewalls (WAFs)

  • Detect malformed HTTP requests

Strict RFC compliance
